noexec for security

Posted by Doug Tue, 08 Nov 2005 11:27:07 GMT

I don’t know why I didn’t think of this myself, but I just changed /tmp to mount noexec. Lately I’ve been having problems on my server with clients uploading stuff to their /cgi-bin/ or PHP code to their docroot that has security vulnerabilities. I don’t have anything in place (yet!) to monitor what they upload, so I’m caught by surprise when something happens.

Changing /tmp to noexec is an obvious improvement. My web server doesn’t run as root, so /tmp is a common place for exploits to download, compile and run stuff. The noexec option cuts that last step off. Assuming I’m not the last sys admin to figure this out, I encourage you to do the same.

By the way, it turned out to be very simple to affect the change after editing the /etc/fstab:

sudo mount -o remount /tmp

Now on to write some report that will let me know what stuff my clients have installed…

Posted in ,  | Tags  | 1 comment

Comments

  1. Eric-Olivier Lamey said 2 days later:

    http://lists.debian.org/debian-glibc/2003/10/msg00539.html

RSS feed for this post

Comments are disabled

Copyright 2001 - 2005 by Lathi.net and Doug Alcorn

Creative Commons, Some Rights Reserved Ruby on Rails Developer Powered by Debian GNU/Linux Powered by Typo